2022-03-15

Bank of Israel Adjustments to Proper Conduct of Banking Business Directives for New Banking Corporations

The Bank of Israel has amended Proper Conduct of Banking Business Directive no. 480 to tighten regulatory requirements for new banking corporations and those in formation. Key changes include reducing the limited license activity threshold to NIS 100 million, mandating annual board-approved exit plans, and revoking leniencies for IT management outsourcing and CEO dual roles. The amendments also align formation-stage requirements with existing directives on corporate governance, risk management, and cyber defense while updating liquidity and indebtedness rules.


Israel

Bank of Israel


Bank of Israel
Banking Supervision Department
Policy and Regulation Division

March 15, 2022
Circular Number C-06-2700

Attn: The Banking Corporations

Re: Adjustments to Proper Conduct of Banking Business Directives that Apply to a New Banking Corporation (Proper Conduct of Banking Business Directive no. 480)

Introduction

  1. In view of experience accrued by the Banking Supervision Department, it became necessary to update the Directive.
  2. After consulting with the Advisory Committee on Banking Business Affairs and with the approval of the Governor, I have decided to amend the Directive in the manner specified below.

Main provisions of the amendments

  3. Definition of “limited license” (Section 6)—the extent of activity in which a banking corporation in formation may engage is reduced from NIS 250 million to NIS 100 million.
     Explanatory notes: The purpose of a limited license is to enable a banking corporation to complete the requisite preparations to operate as a new banking corporation, including the piloting of its systems and processes. The experience accrued demonstrates the need to strike a balance among the intended goal of the limited-license period, the relaxed regulation that applies to a banking corporation in formation (Chapter G of the Directive), and the amount of time in which the banking corporation must complete its preparations. Accordingly, the extent of activity in which a banking corporation in formation may engage is reduced in order to reduce its exposure to risks and encourage it to complete its preparations more quickly.
  4. Clarification concerning the “banking corporation in formation” stage (Section 9a)—it is stated for clarity that the process described in this Chapter for the receipt of a limited bank license shall not apply to an entity that fails to comply with all conditions set forth in the definition of a “banking corporation in formation”, including the extent of activity set forth in a limited license.
     Explanatory notes: A clarification is added that the path of a banking corporation in formation and a limited license shall not apply to just any new banking corporation but rather only to one that complies with the conditions set forth in the definitions.

  5. Exit plan (Section 9b)—a new banking corporation must have in place an exit plan that will allow it to wind up its activity without negatively impacting the banking system and its customers. Said exit plan shall be invoked, for example, when the business model proves to be inapplicable or when the new banking corporation fails to raise the requisite capital. The exit plan shall be adjusted to the business plan and the extent and complexity of the new banking corporation’s actual activity. The Board of Directors shall approve the plan at least once a year and shall approve amendments introduced in it.
     Explanatory notes: A clause is added requiring a new banking corporation (and not only a banking corporation in formation) to have in place an exit plan. Said plan is meant to prevent, or at least mitigate, possible harm to customers’ money and the financial system in the event that the new banking corporation terminates its activity. A similar requirement is in place in the UK.
  6. Proper Conduct of Banking Business Directive no. 222, “Net Stable Funding Ratio” (Section 14)—a reference to Proper Conduct of Banking Business Directive no. 222 is added, according to which the Directive shall not apply to a new banking corporation that chooses to comply with a simple liquidity ratio as defined in the Directive.
     Explanatory notes: In view of the publication of Proper Conduct of Banking Business Directive no. 222 (“Net Stable Funding Ratio”), a reference is added to the inapplicability of this Directive to a new banking corporation provided it complies with the conditions set forth.
  7. Proper Conduct of Banking Business Directive no. 301, “Board of Directors” (Section 15(a)(2))—a minimum frequency for the submission of reports is added.
  8. Proper Conduct of Banking Business Directive 315, “Industry Indebtedness Limitation” (Section 22)—the conditions for non-incidence of the industry indebtedness limitation are revised, it being determined that the Directive shall not apply to a new banking corporation unless the total indebtedness of borrowers of the corporation who are not “private individuals,” in the sense of “credit to private individuals” in Section 14 of Appendix 5 to Reporting to the Public Directive of the Supervisor of Banks no. 651, exceeds NIS 2 billion.
     Explanatory notes: In view of the experience accrued, it was decided to remove the limitation expressed as a percentage of total credit activity.
  9. Proper Conduct of Banking Business Directive no. 357, “Information Technology Management” (Section 26)—
     (a) The leniencies established in this Section are amended as follows:
         (1) The possibility of a CEO also serving as the information-technology manager is revoked.
         (2) The possibility of outsourcing the function of information-technology manager is revoked.
         (3) A new banking corporation that wishes to outsource the function of information-security manager must comply with additional conditions as set forth in this Directive concerning the outsourcing of the cyber-defense manager function.
     Explanatory notes: Experience accrued shows that the function of information-technology manager is a crucial one that entails large-scale resources and cannot be carried out together with another significant function such as the Chief Executive Officer. The importance of having this officer as an employee of the banking corporation also became clear. Consequently, the possibility of allowing the CEO of a new banking corporation to hold both positions—CEO and information-technology manager—is revoked, as is the possibility of outsourcing the information-technology manager function. The information-security manager is an important and material function in a banking corporation. While the possibility of outsourcing this function remains open, conditions that the banking corporation must meet in order to assure appropriate conduct in this matter are added.
  10. Proper Conduct of Banking Business Directive no. 359A, “Outsourcing” (Section 27)—the Section is revoked.
     Explanatory notes: In view of the amendment to Section 38 of Proper Conduct of Banking Business Directive no. 359A, applied on June 21, 2021 that allows a banking corporation to use outsourcing for a proactive approach to households for the purpose of referring them to the banking corporation, the need for lenience has become superfluous.
  11. Proper Conduct of Banking Business Directive no. 361, “Cyber Defense Management” (Section 28)—the conditions that must be met in order to outsource the function of cyber-defense manager are fine-tuned to require, inter alia, the approval of the Board of Directors and prior written reporting to the Banking Supervision Department. Furthermore, a person named to this function at the service provider must be a single specific employee, and the banking corporation shall ensure that the service provider implements appropriate measures to prevent conflict of interests.
     Explanatory notes: In view of experience accrued, the conditions that must be met in order to outsource the function of cyber-defense manager have been revised. Emphasis is placed on prior approval of the Board of Directors, reporting to the Banking Supervision Department, and expectations of the service provider in the sense of adequate resource allocation for this purpose and assurance of absence of conflict of interests.

  12. Banking corporation in formation (Chapter G)—the requirements that apply to a banking corporation in formation are revised as follows:
     (a) In regard to the Board of Directors—instead of the requirements set forth in the Directive, a banking corporation in formation shall apply Proper Conduct of Banking Business Directive no. 301, mutatis mutandis in respect of a new banking corporation.
     (b) In regard to risk management—instead of the requirements set forth in the Directive, a banking corporation in formation shall apply Proper Conduct of Banking Business Directive no. 310, mutatis mutandis in respect of a new banking corporation.
     (c) A requirement is added concerning the application of Proper Conduct of Banking Business Directive no. 308A regarding the handling of complaints from the public, mutatis mutandis in respect of a new banking corporation.
     (d) In regard to business continuity—instead of the requirements set forth in the Directive, Proper Conduct of Banking Business Directive no. 355 shall apply to a banking corporation in formation.
     (e) In respect of senior officers' approval—in view of the application of Proper Conduct of Banking Business Directive no. 301 to a banking corporation in formation, as noted in Subsection (a), the provision that relates to this matter has become superfluous.
     (f) The following requirements are added:
         1. Management of information technology—Proper Conduct of Banking Business Directive no. 357 shall apply, mutatis mutandis in respect of a new banking corporation.
         2. Management of cyber defense—Proper Conduct of Banking Business Directive no. 361 shall apply, mutatis mutandis in respect of a new banking corporation.
         3. Cloud computing—Proper Conduct of Banking Business Directive no. 362 shall apply, mutatis mutandis in respect of a new banking corporation.
         4. Supply chain cyber risk management—Proper Conduct of Banking Business Directive no. 363 shall apply.
         5. Reporting of technological failures and cyber events—Proper Conduct of Banking Business Directive no. 366 shall apply.
         6. E-banking—Proper Conduct of Banking Business Directive no. 367 shall apply.
     (g) Exit plan – Instead of the provisions of the Section, a reference to the new Section 9B shall be added.
     Explanatory notes: In view of the experience accrued, it was decided to tighten the requirements that apply to a banking corporation in formation in respect of corporate governance, risk management and compliance, information technology and security, and business continuity, because even at this stage the risks in these fields are considerable.

Date of effect

  13. The contents of this Circular shall go into effect on the date the Circular is published, with the exception of Section 9b of the Directive, which shall go into effect six months after the date on which this Circular is published.

File update

  14. Update pages for the Proper Conduct of Banking Business Directives file are attached. The following are the update instructions:

     Remove page: 480-1-15 [2] (9/21)
     Insert page: 480-1-15 [3] (3/22)

Respectfully,

Yair Avidan
Supervisor of Banks